Changeset 228696 in webkit

Timestamp:

Feb 19, 2018 10:34:07 AM (6 years ago)

Author:

dbates@webkit.org

Message:

Null pointer dereference in WebPageProxy::urlSchemeHandlerForScheme()
​https://bugs.webkit.org/show_bug.cgi?id=182905

Reviewed by Alex Christensen.

Return nullptr when querying for the scheme handler of the null string.

Before a navigation is performed WebKit checks if the destination URL is associated with an app
unless the embedding client overrides the WKNavigationDelegate delegate callback -webView:decidePolicyForNavigationAction:decisionHandler.
If the URL is not associated with an app then WebKit may fall back to checking if the embedding
client registered a scheme handler for it. Currently we assume that the scheme is a non-null
string when checking the scheme handler registry. However the scheme can be a null string if
it is part of a malformed URL. And this leads to bad news bears when we try to use it to look
for a scheme handler. Instead check that the scheme is a non-null string before checking to see
if it is in the scheme handler registry.

• UIProcess/WebPageProxy.cpp:

(WebKit::WebPageProxy::urlSchemeHandlerForScheme):

Location:

trunk

Files:

• Source/WebKit/ChangeLog (modified) (1 diff)
• Source/WebKit/UIProcess/WebPageProxy.cpp (modified) (1 diff)
• Tools/TestWebKitAPI/Tests/WebKitCocoa/DecidePolicyForNavigationAction.mm (modified) (1 diff)

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2018-02-19  Daniel Bates  <dabates@apple.com>
+
+        Null pointer dereference in WebPageProxy::urlSchemeHandlerForScheme()
+        https://bugs.webkit.org/show_bug.cgi?id=182905
+
+        Reviewed by Alex Christensen.
+
+        Return nullptr when querying for the scheme handler of the null string.
+
+        Before a navigation is performed WebKit checks if the destination URL is associated with an app
+        unless the embedding client overrides the WKNavigationDelegate delegate callback -webView:decidePolicyForNavigationAction:decisionHandler.
+        If the URL is not associated with an app then WebKit may fall back to checking if the embedding
+        client registered a scheme handler for it. Currently we assume that the scheme is a non-null
+        string when checking the scheme handler registry. However the scheme can be a null string if
+        it is part of a malformed URL. And this leads to bad news bears when we try to use it to look
+        for a scheme handler. Instead check that the scheme is a non-null string before checking to see
+        if it is in the scheme handler registry.
+
+        * UIProcess/WebPageProxy.cpp:
+        (WebKit::WebPageProxy::urlSchemeHandlerForScheme):
+
 2018-02-19  Ms2ger  <Ms2ger@igalia.com>
 

trunk/Source/WebKit/UIProcess/WebPageProxy.cpp

@@ -7200 +7200 @@
 WebURLSchemeHandler* WebPageProxy::urlSchemeHandlerForScheme(const String& scheme)
 {
-    return m_urlSchemeHandlersByScheme.get(scheme);
+    return scheme.isNull() ? nullptr : m_urlSchemeHandlersByScheme.get(scheme);
 }
 

trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/DecidePolicyForNavigationAction.mm

@@ -562 +562 @@
 }
 
+@interface DecidePolicyForNavigationActionForMalformedURLDelegate : NSObject <WKNavigationDelegate>
+@end
+
+@implementation DecidePolicyForNavigationActionForMalformedURLDelegate
+
+- (void)webView:(WKWebView *)webView didFinishNavigation:(WKNavigation *)navigation
+{
+    finishedNavigation = true;
+}
+
+@end
+
+TEST(WebKit, DecidePolicyForNavigationActionForMalformedURL)
+{
+    auto webView = adoptNS([[WKWebView alloc] init]);
+    auto controller = adoptNS([[DecidePolicyForNavigationActionForMalformedURLDelegate alloc] init]);
+    [webView setNavigationDelegate:controller.get()];
+
+    finishedNavigation = false;
+    [webView loadRequest:[NSURLRequest requestWithURL:[NSURL URLWithString:@"N"]]];
+    TestWebKitAPI::Util::run(&finishedNavigation);
+}
+
 #endif